CVE-2026-41645
Analyzed Analyzed - Analysis Complete
Expression Injection in Nuclei Scanner

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's expression evaluation engine makes it possible for a malicious target server to inject and execute supported DSL expressions. This happens when HTTP response data containing helper/function syntax gets reused by multi-step templates. If the -env-vars / -ev option is explicitly enabled, this can expose host environment variables. That option is off by default, so standard configurations are not affected by the information disclosure risk. This issue has been patched in version 3.8.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-41645
EUVD
EUVD-2026-28498
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
projectdiscovery nuclei From 3.0.0 (inc) to 3.8.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41645 is a vulnerability in the Nuclei vulnerability scanner's expression evaluation engine present in versions from 3.0.0 up to but not including 3.8.0. The issue arises because Nuclei processes templates in two passes: first replacing placeholders, then scanning the substituted output for DSL/helper expressions. This allows a malicious target server to inject and execute supported DSL expressions by including helper/function syntax in HTTP response data reused by multi-step templates.

If the command-line option -env-vars (or -ev) is explicitly enabled, environment variables from the host are merged into the template variable map. This can lead to exposure of host environment variables when malicious expressions like {{env_var_name}} are injected and reused in subsequent template requests. The option is off by default, so standard configurations are not affected by this information disclosure risk.

The vulnerability is caused by improper handling of template-authored expressions, where response-derived data can be reinterpreted as executable DSL expressions, leading to unintended code execution or information disclosure.

This issue was fixed in Nuclei version 3.8.0 by changing the evaluation logic to only evaluate expressions explicitly authored in the template before placeholder substitution, preventing execution of injected expressions from response data.

Impact Analysis

This vulnerability can impact users by allowing a malicious target server to inject and execute DSL expressions within Nuclei templates, potentially leading to unintended code execution.

If the -env-vars / -ev option is enabled, it can expose sensitive host environment variables such as API keys, credentials, and tokens to the attacker, resulting in information disclosure.

Even without the -ev option enabled, injected expressions may execute helper functions causing unexpected behavior, though without meaningful security impact.

The vulnerability affects CLI users running multi-step templates against untrusted or attacker-controlled targets with -ev enabled, as well as SDK users integrating Nuclei with environment variable exposure enabled in untrusted environments.

The CVSS v3.1 base score is 5.3, indicating a medium severity with network attack vector, high attack complexity, no privileges required, user interaction required, and high confidentiality impact.

Mitigation Strategies

To mitigate the vulnerability CVE-2026-41645 in Nuclei, you should upgrade to version 3.8.0 or later, where the issue has been fixed by changing the expression evaluation logic to only evaluate expressions explicitly authored in templates, preventing injection from response-derived data.

If upgrading immediately is not possible, you should disable the -env-vars (or -ev) option when scanning untrusted or attacker-controlled targets, as this option enables environment variable exposure and is off by default.

Avoid running multi-step templates against untrusted targets with the -ev option enabled to prevent malicious injection and execution of DSL expressions.

Compliance Impact

The vulnerability in Nuclei versions 3.0.0 to before 3.8.0 allows a malicious target server to inject and execute DSL expressions that can expose host environment variables if the -env-vars / -ev option is explicitly enabled. This exposure can lead to disclosure of sensitive information such as API keys, credentials, and tokens.

Such unauthorized disclosure of sensitive environment variables could potentially violate data protection regulations and standards like GDPR and HIPAA, which require safeguarding of sensitive and personal data. If environment variables contain personal data or credentials related to protected health information or personal identifiers, their exposure could lead to non-compliance with these regulations.

However, the risk is mitigated by the fact that the -env-vars / -ev option is off by default, so standard configurations are not affected by the information disclosure risk. Users are strongly advised to upgrade to version 3.8.0 where this issue is fixed, or to disable the -env-vars option when scanning untrusted targets.

Detection Guidance

To detect the presence of the CVE-2026-41645 vulnerability in your environment, you should first identify if you are running Nuclei versions from 3.0.0 up to but not including 3.8.0, as these versions contain the vulnerable expression evaluation engine.

Since the vulnerability involves the evaluation of injected DSL expressions in HTTP response data reused by multi-step templates, detection can focus on monitoring Nuclei scan configurations and network traffic for suspicious template usage or unexpected environment variable exposure.

Specifically, check if the Nuclei scanner is run with the `-env-vars` or `-ev` option enabled, which is off by default but when enabled can expose host environment variables through maliciously crafted responses.

For practical detection, you can run commands to check the installed Nuclei version and scan command options, for example:

  • Check Nuclei version: `nuclei -version`
  • Check running processes or scripts for usage of `-env-vars` or `-ev` flags, e.g., `ps aux | grep nuclei` or review automation scripts.

Additionally, to detect if a target server is attempting to exploit this vulnerability, monitor HTTP responses for injected DSL expressions such as `{{env_var_name}}` or other helper syntax patterns like `{{md5("test")}}` in response bodies or extractor outputs.

You can use network inspection tools or simple command-line utilities to search for these patterns in HTTP responses, for example:

  • Using `curl` and `grep` to inspect response content for DSL expressions: `curl -s http://target | grep -E '\{\{.*\}\}'`
  • Using packet capture tools like `tcpdump` or `Wireshark` to filter HTTP traffic and inspect for suspicious DSL expression patterns.

Finally, the best detection and mitigation is to upgrade Nuclei to version 3.8.0 or later, where the vulnerability is fixed by restricting expression evaluation to only template-authored expressions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41645. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart